
Privacy Policy

Last updated: 30 June 2025

Short version: We collect only what we need to run Scatter, we never sell your data, and you can delete everything at any time. The full details are below.

1. Overview

Scatter (scatterone.com) ("Scatter", "we", "our", "us") operates the website scatterone.com and the Scatter web application (the "Service").

This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and what rights you have over your data. By using the Service, you agree to this policy. If you do not agree, please do not use the Service.

This policy applies to all users of Scatter, including visitors to our website, registered users, and anyone who connects a social media account to our Service.

2. Data we collect

Account information

  • Name, email address, and profile picture — provided when you register via Clerk (our authentication provider).
  • Password credentials — handled and encrypted by Clerk. We never see your raw password.
  • If you sign in via Google, GitHub, or another social provider, we receive your name and email from that provider.

Social media account tokens

  • When you connect a social platform (X, Instagram, LinkedIn, etc.), we store the OAuth access token and refresh token issued by that platform.
  • These tokens allow us to post on your behalf. They are stored encrypted in our database and never shared with third parties.
  • We store the minimum token data required — typically access token, refresh token, and expiry timestamp. We do not store your social media passwords.

Content you create

  • Post content (text and media) that you write in the Scatter composer.
  • Scheduled post times and platform selections.
  • Media files (images, videos) you upload — stored via Cloudinary, our media hosting provider.

Usage data

  • Which features you use and how often (e.g. how many posts you schedule, which platforms you post to).
  • AI caption generation and improvement requests — logged for usage-limit enforcement only, not for training AI models.
  • Approximate geographic region (country-level) for analytics purposes.

Billing data

  • Payment information is processed by Stripe. We do not store your card number, CVV, or full card details — only the Stripe customer ID and subscription status.
  • Billing history and subscription plan are stored in our database to enforce plan limits and display your billing status.

Technical data

  • Browser type, operating system, and device type — collected via standard web server logs.
  • IP address — used for rate limiting and fraud prevention.
  • Cookies and session tokens — see Section 6.

3. How we use your data

We use your data only to operate and improve the Service:

  • To post content to social platforms on your behalf when you request it.
  • To schedule and deliver posts at the times you specify, using our background job system (Inngest).
  • To enforce plan limits (post counts, AI credit quotas, platform limits).
  • To send notifications about post delivery success or failure, if you enable them.
  • To process payments and manage your subscription via Stripe.
  • To display analytics about your posting activity (reach, platform breakdown, best posting times).
  • To generate AI-assisted captions using your content and topic as input — content sent to our AI provider (DeepSeek or Anthropic) is not used to train their models under their enterprise terms.
  • To respond to your support requests.
  • To detect and prevent abuse, fraud, or violations of our Terms of Service.
  • To improve the Service through aggregate, anonymised usage analytics.

We do not use your data to serve advertisements. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

4. Data sharing

We share data with the following categories of third-party service providers, strictly to operate the Service:

  • Authentication and user identity management. Data shared: Name, email, session tokens
  • Database hosting (PostgreSQL). Data shared: All application data stored in our database
  • Payment processing. Data shared: Email, billing address, payment method metadata
  • Media file hosting. Data shared: Images and videos you upload for posts
  • Web application hosting and CDN. Data shared: Server logs, IP addresses (transient)
  • Background job processing (scheduled posts, token refresh). Data shared: Post IDs, user IDs, scheduled timestamps
  • DeepSeek / Anthropic: AI caption generation (only when you use the AI Assist feature). Data shared: Post content and topic you submit to AI Assist. Not used for model training.
  • Transactional email (post notifications, team invites) — optional. Data shared: Email address and notification content

We may also disclose your data if required by law, regulation, or valid legal process, or to protect the rights, property, or safety of Scatter, our users, or the public.

5. Social media platforms

When you connect a social platform to Scatter, you are granting Scatter permission to act on your behalf using that platform's OAuth system. This means:

  • We request only the minimum permissions required to read your profile and publish posts.
  • Your credentials (username and password) are never seen or stored by Scatter — only the OAuth tokens issued by the platform.
  • Each platform's own privacy policy governs how they handle your data. Connecting to Scatter does not change your relationship with those platforms.
  • You can revoke Scatter's access at any time — either from the Platforms page inside Scatter, or directly from that platform's authorised apps settings.
  • When you disconnect a platform, we immediately delete the associated OAuth tokens from our database.

Links to each platform's privacy policy:

  • X (Twitter): https://twitter.com/en/privacy
  • Instagram / Facebook / Threads (Meta): https://privacycenter.instagram.com/policy
  • LinkedIn: https://www.linkedin.com/legal/privacy-policy
  • TikTok: https://www.tiktok.com/legal/page/us/privacy-policy
  • YouTube (Google): https://policies.google.com/privacy
  • Reddit: https://www.reddit.com/policies/privacy-policy

6. Cookies and tracking

We use a small number of cookies strictly necessary to operate the Service:

  • Session cookie — issued by Clerk to keep you signed in. Expires when your session ends or after 30 days, whichever comes first.
  • Onboarding cookie (scatter_onboarded) — a short-lived first-party cookie that records whether you've completed onboarding. No personal data stored.
  • Theme preference — stored in localStorage (not a cookie) to remember your light/dark mode choice. No personal data.

We do not use advertising cookies, third-party tracking pixels, or analytics cookies that follow you across sites. We do not use Google Analytics, Facebook Pixel, or similar cross-site trackers.

You can disable cookies in your browser settings. Disabling the session cookie will prevent you from signing in.

7. Data retention

  • Account data — retained for as long as your account is active. Deleted within 30 days of account deletion.
  • Post records — retained indefinitely while your account is active so you can view your history. You can delete individual posts or all posts at any time from Settings → Danger Zone.
  • OAuth tokens — deleted immediately when you disconnect a platform, or within 30 days of account deletion.
  • AI usage logs — retained for 12 months for usage-limit enforcement, then deleted.
  • Billing records — retained for 7 years as required by financial regulations, even after account deletion.
  • Server logs (IP addresses, request metadata) — retained for 30 days, then deleted automatically.

8. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — request deletion of your account and all associated data.
  • Right to data portability — export your post data as JSON from Settings → Data → Export.
  • Right to restrict processing — ask us to pause processing your data in certain circumstances.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — disconnect any social platform at any time; cancel your subscription at any time.

To exercise any of these rights, email us at privacy@scatterone.com or use the self-service tools in your Settings page. We will respond within 30 days. We may ask you to verify your identity before processing a request.

If you are located in the European Economic Area (EEA), United Kingdom, or California, you have additional rights under GDPR, UK GDPR, and CCPA respectively. We honour all of these rights regardless of your location.

If you believe we have mishandled your data, you have the right to lodge a complaint with your local data protection authority.

9. Children's privacy

The Service is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us at privacy@scatterone.com and we will delete it promptly.

10. Security

We take security seriously and implement industry-standard measures including:

  • All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
  • OAuth tokens are stored encrypted at rest in our database.
  • API keys are hashed using SHA-256 — we never store the raw key after it is shown to you once at creation.
  • Access to production systems is restricted to authorised personnel only.
  • We use row-level security on our database so queries are automatically scoped to the authenticated user.
  • Rate limiting is applied to all API endpoints to prevent abuse.

No method of transmission over the internet is 100% secure. While we work hard to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at privacy@scatterone.com.

In the event of a data breach that affects your personal data, we will notify you and any applicable regulatory authority within 72 hours of becoming aware of the breach, as required by GDPR.

11. International data transfers

Scatter is operated from the United Kingdom. Your data may be processed and stored in the United States and other countries where our service providers (Supabase, Vercel, Stripe, Clerk) operate.

Where we transfer data from the EEA or UK to a third country, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions. Our key providers (Stripe, Vercel, Cloudinary) maintain EU–US Data Privacy Framework certification or equivalent safeguards.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Email registered users at the email address associated with their account.
  • Show a notice in the Scatter app on your next login if the changes affect how we use your data.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the new policy.

13. Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

Response time: Within 30 days for data requests; faster for general enquiries.